package imageutil import ( "context" "encoding/json" "sync" "time" "github.com/containerd/containerd/content" "github.com/containerd/containerd/images" "github.com/containerd/containerd/leases" "github.com/containerd/containerd/platforms" "github.com/containerd/containerd/reference" "github.com/containerd/containerd/remotes" "github.com/containerd/containerd/remotes/docker" intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/moby/buildkit/util/contentutil" "github.com/moby/buildkit/util/leaseutil" "github.com/moby/buildkit/util/resolver/limited" "github.com/moby/buildkit/util/resolver/retryhandler" digest "github.com/opencontainers/go-digest" ocispecs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" ) type ContentCache interface { content.Ingester content.Provider content.Manager } var leasesMu sync.Mutex var leasesF []func(context.Context) error func CancelCacheLeases() { leasesMu.Lock() for _, f := range leasesF { f(context.TODO()) } leasesF = nil leasesMu.Unlock() } func AddLease(f func(context.Context) error) { leasesMu.Lock() leasesF = append(leasesF, f) leasesMu.Unlock() } func Config(ctx context.Context, str string, resolver remotes.Resolver, cache ContentCache, leaseManager leases.Manager, p *ocispecs.Platform) (digest.Digest, []byte, error) { // TODO: fix buildkit to take interface instead of struct var platform platforms.MatchComparer if p != nil { platform = platforms.Only(*p) } else { platform = platforms.Default() } ref, err := reference.Parse(str) if err != nil { return "", nil, errors.WithStack(err) } if leaseManager != nil { ctx2, done, err := leaseutil.WithLease(ctx, leaseManager, leases.WithExpiration(5*time.Minute), leaseutil.MakeTemporary) if err != nil { return "", nil, errors.WithStack(err) } ctx = ctx2 defer func() { // this lease is not deleted to allow other components to access manifest/config from cache. It will be deleted after 5 min deadline or on pruning inactive builder AddLease(done) }() } desc := ocispecs.Descriptor{ Digest: ref.Digest(), } if desc.Digest != "" { ra, err := cache.ReaderAt(ctx, desc) if err == nil { info, err := cache.Info(ctx, desc.Digest) if err == nil { if ok, err := contentutil.HasSource(info, ref); err == nil && ok { desc.Size = ra.Size() mt, err := DetectManifestMediaType(ra) if err == nil { desc.MediaType = mt } } } } } // use resolver if desc is incomplete if desc.MediaType == "" { _, desc, err = resolver.Resolve(ctx, ref.String()) if err != nil { return "", nil, err } } fetcher, err := resolver.Fetcher(ctx, ref.String()) if err != nil { return "", nil, err } if desc.MediaType == images.MediaTypeDockerSchema1Manifest { return readSchema1Config(ctx, ref.String(), desc, fetcher, cache) } children := childrenConfigHandler(cache, platform) dslHandler, err := docker.AppendDistributionSourceLabel(cache, ref.String()) if err != nil { return "", nil, err } handlers := []images.Handler{ retryhandler.New(limited.FetchHandler(cache, fetcher, str), func(_ []byte) {}), dslHandler, children, } if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil { return "", nil, err } config, err := images.Config(ctx, cache, desc, platform) if err != nil { return "", nil, err } dt, err := content.ReadBlob(ctx, cache, config) if err != nil { return "", nil, err } return desc.Digest, dt, nil } func childrenConfigHandler(provider content.Provider, platform platforms.MatchComparer) images.HandlerFunc { return func(ctx context.Context, desc ocispecs.Descriptor) ([]ocispecs.Descriptor, error) { var descs []ocispecs.Descriptor switch desc.MediaType { case images.MediaTypeDockerSchema2Manifest, ocispecs.MediaTypeImageManifest: p, err := content.ReadBlob(ctx, provider, desc) if err != nil { return nil, err } // TODO(stevvooe): We just assume oci manifest, for now. There may be // subtle differences from the docker version. var manifest ocispecs.Manifest if err := json.Unmarshal(p, &manifest); err != nil { return nil, err } descs = append(descs, manifest.Config) case images.MediaTypeDockerSchema2ManifestList, ocispecs.MediaTypeImageIndex: p, err := content.ReadBlob(ctx, provider, desc) if err != nil { return nil, err } var index ocispecs.Index if err := json.Unmarshal(p, &index); err != nil { return nil, err } if platform != nil { for _, d := range index.Manifests { if d.Platform == nil || platform.Match(*d.Platform) { descs = append(descs, d) } } } else { descs = append(descs, index.Manifests...) } case images.MediaTypeDockerSchema2Config, ocispecs.MediaTypeImageConfig, docker.LegacyConfigMediaType, intoto.PayloadType: // childless data types. return nil, nil default: return nil, errors.Errorf("encountered unknown type %v; children may not be fetched", desc.MediaType) } return descs, nil } } // specs.MediaTypeImageManifest, // TODO: detect schema1/manifest-list func DetectManifestMediaType(ra content.ReaderAt) (string, error) { // TODO: schema1 dt := make([]byte, ra.Size()) if _, err := ra.ReadAt(dt, 0); err != nil { return "", err } return DetectManifestBlobMediaType(dt) } func DetectManifestBlobMediaType(dt []byte) (string, error) { var mfst struct { MediaType *string `json:"mediaType"` Config json.RawMessage `json:"config"` Manifests json.RawMessage `json:"manifests"` Layers json.RawMessage `json:"layers"` } if err := json.Unmarshal(dt, &mfst); err != nil { return "", err } mt := images.MediaTypeDockerSchema2ManifestList if mfst.Config != nil || mfst.Layers != nil { mt = images.MediaTypeDockerSchema2Manifest if mfst.Manifests != nil { return "", errors.Errorf("invalid ambiguous manifest and manifest list") } } if mfst.MediaType != nil { switch *mfst.MediaType { case images.MediaTypeDockerSchema2ManifestList, ocispecs.MediaTypeImageIndex: if mt != images.MediaTypeDockerSchema2ManifestList { return "", errors.Errorf("mediaType in manifest does not match manifest contents") } mt = *mfst.MediaType case images.MediaTypeDockerSchema2Manifest, ocispecs.MediaTypeImageManifest: if mt != images.MediaTypeDockerSchema2Manifest { return "", errors.Errorf("mediaType in manifest does not match manifest contents") } mt = *mfst.MediaType } } return mt, nil }